Archive for May 12th, 2014

From a security perspective, phishing attempts are pretty much old hat. In most cases, phishing attempts or attacks focus on getting one particular credential, such as those for credit cards or user accounts. We are now seeing cybercriminals attempt to get more credentials by using phishing pages that allow for multiple email logins.

Multiple Logins Allowed

We came across some shortened URLs that lead users to phishing pages that mimic popular sites, including Facebook, Google Docs (now known as Google Drive), OneDrive, and several property websites. In order to proceed, users must log in using their email address.

Figure 1. Log in page featuring different email providers

The unique feature about these phishing pages is that they include options for several email providers. Users can log in using any of their accounts in Yahoo, Gmail, AOL, and Windows Live. There is even an “other emails” option, in case the user’s preferred email provider is not given. It’s interesting to note that the pages accept any words or even gibberish typed in—a sure sign that the pages are more concerned with collecting data.

After signing in, users may encounter a “loading” or “server error” notification before they are led to the actual site. For example, users who visit the “Google Docs” site are led to a shared document about intentions for prayers.

Figure 3. Document hosted in Google Docs

Phishing Steps Up

This particular phishing scheme shows that cybercriminals are still refining their techniques. In this case, the cybercriminals took the extra steps to make sure the scheme appears as legitimate as possible (e.g., the redirection to legitimate sites, the use of an actual document for Google Docs).

Users should be wary of clicking shortened URLs, especially if they come from unverified sources. It’s recommended that they simply use bookmarks or type in the site’s URL directly into the address bar to avoid phishing pages. They should also double-check a site’s URL before they give out any user information; it has become all too easy for bad guys to create login pages that are near-identical to legitimate ones.

We’ve recently found a vulnerability in certain Android apps that may leave user data at risk of being captured or being used to launch attacks. The two affected apps we investigated are both highly popular:

The productivity app has at least 10M installs and hundreds of thousands of customer reviews, based on its download page

The shopping-related app has at least 1M installs and several thousand customer reviews, based on its download page

This issue lies in a certain type of Android component that executes functions of the app. This component has an attribute named “android:exported”, which, when set to “true”, allows the component to be executed or accessed by other applications. This means that apps installed on a device may be able to trigger certain functions in other apps. This has obvious convenient uses for developers and vendors who want to strike partnerships with apps by other vendors, but from a security standpoint, it also poses an opportunity for cybercriminals.

Using Activities to Launch Attacks

Ways to exploit this issue may vary, depending on the intent of the attacker and the nature of the vulnerable application. As an example, in our analysis, we found that a particular Activity in a shopping app – one related to showing pop-ups whenever the user makes a purchase – is vulnerable to abuse and can be triggered by other apps.

A possible implication of this is that a malicious application can display pop-ups in the shopping app and use it to launch attacks. The attacker may craft the malicious application to display pop-ups that lead to malicious links or other malicious apps.

Using Content Providers to Steal Information

Another possible way to take advantage of this security issue is to target content providers that handle critical information in order to collect it. A content provider related to storing user input in a productivity app, for example, may be used to capture data.

A content provider that handles critical data may be protected by defining permissions. However, if those permissions are not given the proper protection level, the content provider can still be abused. In the productivity app mentioned above, the content provider that stores user input was protected by READ and WRITE permissions. However, both permissions were given the “normal” protection level, which means that every application installed on the device is granted those two permissions as well.

What Can Be Done?

For developers, this issue highlights the importance of putting the appropriate restrictions in the different components of apps. Components that are prone to abuse should be protected with permissions — and with the proper protection level. As we’ve reported in the past, using protection levels in order to secure Android components may not be fool-proof, but it offers a good level of security.

We strongly advise developers to check the components used in their apps and make sure that access to them is restricted properly. We’ve already reached out to the developers of the apps mentioned above and informed them of this issue. We believe that some other popular apps may be affected and we will work to inform them as we encounter them.
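As an added illustration of the manifest checks described in the two sections above (this is example code written for this page, not code from the original post or from the affected apps), the following Python script lints an AndroidManifest.xml for the weaknesses discussed: components reachable by other apps (android:exported="true", or exported by default through an intent-filter) that are guarded by no permission at all, or by a permission declared at the “normal” protection level. Both manifests embedded below are constructed for the example; the package, activity, provider and permission names are hypothetical.

```python
"""Added example: lint an AndroidManifest.xml for exported components with missing or
weak permission guards. Both sample manifests below are constructed; all names are
hypothetical."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(element, name, default=None):
    """Read an android:-namespaced attribute."""
    return element.get(ANDROID_NS + name, default)


def declared_permission_levels(root):
    """Map each <permission> in the manifest to its base protection level.
    An omitted protectionLevel defaults to "normal"; "signature|privileged" reduces to "signature"."""
    levels = {}
    for perm in root.iter("permission"):
        name = _attr(perm, "name")
        if name:
            levels[name] = _attr(perm, "protectionLevel", "normal").split("|")[0]
    return levels


def is_exported(component):
    """True when exported="true" is explicit, or when the attribute is absent and the
    component declares an <intent-filter> (providers also defaulted to exported before API 17)."""
    exported = _attr(component, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return component.tag == "provider" or component.find("intent-filter") is not None


def permission_weakness(perm_name, levels):
    """Describe why a guard is insufficient, or return None if it is adequate."""
    if perm_name is None:
        return "no permission required"
    level = levels.get(perm_name)
    if level is None:
        return f"permission {perm_name} is not declared here; cannot verify its level"
    if level == "normal":
        return f"permission {perm_name} has protectionLevel normal, granted to every installed app"
    return None


def lint_manifest(xml_text):
    """Return one finding per exported component guard that is missing or weak."""
    root = ET.fromstring(xml_text)
    levels = declared_permission_levels(root)
    findings = []
    application = root.find("application")
    if application is None:
        return findings
    for component in application:
        if component.tag not in COMPONENT_TAGS or not is_exported(component):
            continue
        name = _attr(component, "name", "<unnamed>")
        if component.tag == "provider":
            # Providers are guarded separately for reads and writes; android:permission is the fallback.
            fallback = _attr(component, "permission")
            guards = [("readPermission", _attr(component, "readPermission") or fallback),
                      ("writePermission", _attr(component, "writePermission") or fallback)]
        else:
            guards = [("permission", _attr(component, "permission"))]
        for attr_name, perm_name in guards:
            problem = permission_weakness(perm_name, levels)
            if problem:
                findings.append(f"{component.tag} {name} [{attr_name}]: {problem}")
    return findings


# Constructed manifest reproducing both weaknesses from the post: an exported activity with
# no permission, and a provider whose READ/WRITE permissions are at the default "normal" level.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical">
    <permission android:name="com.example.hypothetical.READ_NOTES" android:protectionLevel="normal" />
    <permission android:name="com.example.hypothetical.WRITE_NOTES" />
    <application>
        <activity android:name=".PurchasePopupActivity" android:exported="true" />
        <provider android:name=".NotesProvider" android:authorities="com.example.hypothetical.notes"
            android:exported="true"
            android:readPermission="com.example.hypothetical.READ_NOTES"
            android:writePermission="com.example.hypothetical.WRITE_NOTES" />
    </application>
</manifest>"""

# The same manifest hardened: the activity is no longer exported, and the provider's
# permissions require a matching signing key ("signature"), so arbitrary apps cannot hold them.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical">
    <permission android:name="com.example.hypothetical.READ_NOTES" android:protectionLevel="signature" />
    <permission android:name="com.example.hypothetical.WRITE_NOTES" android:protectionLevel="signature" />
    <application>
        <activity android:name=".PurchasePopupActivity" android:exported="false" />
        <provider android:name=".NotesProvider" android:authorities="com.example.hypothetical.notes"
            android:exported="true"
            android:readPermission="com.example.hypothetical.READ_NOTES"
            android:writePermission="com.example.hypothetical.WRITE_NOTES" />
    </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        results = lint_manifest(manifest)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  " + finding)
```

Run against the vulnerable manifest it reports three findings (the unguarded activity and both provider permissions at level “normal”); the hardened manifest yields none. The check is deliberately conservative: a permission the manifest does not declare is reported as unverifiable rather than assumed safe, since its protection level is then set by whichever package declares it first.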

Update as of June 1, 2013, 7:15 PM PDT:

Trend Micro is working closely with the vendors and developers that were initially found to be affected by the vulnerability discussed. This does not imply that these are the only apps affected, though, hence the names were not disclosed.

We are working with the vendors of these affected apps to responsibly disclose details about this vulnerability in the near future. This blog entry is meant for other app developers to immediately learn about the vulnerability before full disclosure, in order to check whether or not their apps are likewise affected.

Vulnerabilities, particularly zero-days, are often used by threat actors as the starting point for targeted attacks. This was certainly the case for a (then) zero-day vulnerability (CVE-2014-1761) affecting Microsoft Word. In its security advisory released last March, Microsoft itself acknowledged that the vulnerability was being used in “limited, targeted attacks.” Microsoft has since patched this vulnerability as part of its April Patch Tuesday.

However, the existence of a patch has not deterred threat actors from exploiting this vulnerability. We are still seeing targeted attacks that leverage this particular vulnerability as part of their campaigns.

The Taidoor Connection

We came across two attacks that targeted government agencies and an educational institute in Taiwan. The first attack used an email with a malicious attachment supposedly sent by a government employee. The attachment used a title pertaining to a national poll to appear legitimate. The attachment is actually the exploit, detected as TROJ_ARTIEF.ZTBD-R. It drops a file detected as BKDR_SIMBOTDRP.ZTBD-R, which then drops two files — TROJ_SIMBOTLDR.ZTBD-R and TROJ_SIMBOTENC.ZTBD-R. These two files finally lead to the final payload, detected as BKDR_SIMBOT.SMC.

Figure 1. Email sample

The second attack targeted an educational institute, also in Taiwan. This run used an email attachment to gain access to the recipient’s computer and network. The email message discussed free trade issues, while the attachment had a title about a work project. Similar to the first case, the attachment is also an exploit, detected as TROJ_ARTIEF.ZTBD-PB. It drops a backdoor component detected as BKDR_SIMBOT.ZTBD-PB. Once executed, this malware can perform commands such as searching for files to steal, exfiltrating any file of interest, and performing lateral movement.

Figure 2. Email sample

We have determined that these two attacks have ties to Taidoor — a campaign that has been active since 2009 — based on their similar network traffic structure. The attacks described above have the same characteristics as previous runs in terms of targets, social engineering lures, and techniques used (using a zero-day vulnerability).

The PlugX Payload

Another attack we saw used CVE-2012-0158 and targeted a mailing service in Taiwan. Just like the other attacks, this run uses an email attachment as the entry point to the network. The email attachment pretends to be a list about new books from a particular publishing house. This was done to try and pique the recipient’s interest.

Figure 3. Email sample

This attachment is actually the exploit, detected as TROJ_ARTIEF.ZTBD-A, which drops PlugX malware detected as TROJ_PLUGXDRP.ZTBD. This in turn drops a file detected as BKDR_PLUGX.ZTBD, which has the capability to perform a wide range of information-stealing routines, including:

Copy, move, rename, delete files

Create directories

Create files

Enumerate files

Execute files

Get drive information

Get file information

Open and modify files

Log keystrokes and active window

Enumerate TCP and UDP connections

Enumerate network resources

Set TCP connection state

Lock workstation

Log off user

Restart/Reboot/Shutdown system

Display a message box

Perform port mapping

Enumerate processes

Get process information

Terminate processes

Enumerate registry keys

Create registry keys

Delete registry keys

Copy registry keys

Enumerate registry entries

Modify registry entries

Delete registry values

Screen capture

Delete services

Enumerate services

Get service information

Modify services

Start services

Perform remote shell

Connect to a database server and execute SQL statement

Host Telnet server

PlugX malware is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. PlugX may allow remote users to perform data theft routines on the affected system. PlugX can give attackers complete control over a system.

Employing Countermeasures

Patching should remain a top priority for regular users and enterprises alike. Installing patches as soon as they are made available can help protect organizations against attacks that exploit vulnerabilities. Enterprises should also consider virtual patching, as it can help mitigate threats in the presence of zero-days and unsupported systems.

Employee education is also a key element in protecting against targeted attacks. For email attacks that still get through, proper end-user training can help identify possible suspicious activity and/or emails. Users need to be taught to make their fellow employees aware of suspect e-mails in order to improve awareness and enhance defenses throughout the organization.